The UK has made several consequential amendments to its primary electronic surveillance law, the Investigatory Powers Act (“IPA”). These changes have the potential to impact the development of certain privacy-enhancing services by technology companies, whilst also widening the scope of the government’s access to certain electronic datasets. There is also the possibility of an impact on the UK’s ‘adequacy’ status under the EU GDPR.
Background
The Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) amends the IPA, which governs the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. The IPA impacts private sector technology companies who provide electronic communications services which can be subject to surveillance using the powers granted under the IPA.
The IP(A)A was one of the final pieces of legislation to be passed by the Conservative government prior to the dissolution of parliament for the 4 July general election, receiving royal assent on 25 April 2024. It is the product of a government review into the effectiveness of the IPA, which entered into force in 2016. That review concluded that changes to the IPA were needed in order to “modernise and update the legal framework surrounding investigatory powers to ensure the security and intelligence agencies, and law enforcement can continue to exercise the capabilities they need to maintain public safety and protect the public from terrorism, and serious crime”.[1]
Key changes
The following is a summary of the key changes brought in by the IP(A)A, with a focus on those likely to be of relevance to the private sector:
Companies now required to notify the Government of planned changes in functionality
The IP(A)A introduces a new power for the Secretary of State to require companies providing communications products or services to notify the government in advance of any planned changes to those services or their functionality.[2]
The purpose of this amendment is to prevent technological changes – such as the introduction of end-to-end encryption – from having a negative effect on the powers and capabilities of the police and intelligence services, for example by preventing them from accessing the communications and communications-related data needed to prevent crime and protect national security. The notification requirement is focused on changes that will prevent the police and intelligence services from lawfully accessing data where this outcome can be “reasonably anticipated by the operator, even if this is not the primary motivation.”[3]
The government will use secondary legislation to specify the changes in functionality caught by the requirement[4], as well as the threshold that will be used by the Secretary of State to define the specific factors that must be considered before issuing a notice[5]. Security patches will remain out of scope.
Notably, the amendment does not give the Secretary of State any specific powers to intervene regarding any changes or provide their consent to the change[6].
Nevertheless, companies may have concerns about the need to share commercially sensitive information with the government (taking into account, amongst other factors, freedom of information rights in the UK), as well as longer term impacts on the ability to protect user privacy through the planned technological changes.
Retention of low sensitivity data
Intelligence agencies routinely utilise ‘bulk personal datasets’ as part of their investigations. These are databases of personal information about large numbers of people, for example an electoral register, telephone directories or travel-related data[7].
The IP(A)A creates a new, light-touch regime for the retention and examination of bulk personal datasets where “the individuals to whom the personal data related to could have no, or only a low, reasonable expectation of privacy in relation to this data.”[8] Going forward, intelligence agencies will no longer be required to obtain a warrant prior to retaining such data. Instead, only the approval of a Judicial Commissioner (a serving or retired judge) will be required[9]. In determining whether the data is low sensitivity, the factors to be considered under the IP(A)A are[10]:
- The nature of the data;
- The extent to which the data has been made public by the individuals or whether the individuals have consented to the data being made public;
- If the data has been published, the extent to which it was published subject to editorial control or by a person acting in accordance with professional standards;
- If the data has been published or is otherwise in the public domain, the extent to which the data is widely known about;
- The extent to which the data has already been used in the public domain.
The Home Office states that, regarding their objectives, the “intelligence services are not interested in examining data that is not operationally relevant, but in finding ways to identify the specific threat in vast quantities of data.”[11]
A ‘reasonable expectation of privacy’ is a turn of phrase that readers may be familiar with from UK privacy law, and specifically the tort of misuse of private information, which has developed over the last 20 years out of the UK’s commitment to the right to a private and family life under the European Convention on Human Rights (ECHR). A similar set of factors has been cited by the courts in misuse of private information cases.
Impact on data protection adequacy
Under the EU GDPR, the European Commission uses an adequacy decision to determine whether another country provides an equivalent level of data protection to the EU. Where an adequacy decision is granted, personal data may flow freely to that country without any legal restrictions.
In June 2021, the EU Commission published two decisions regarding the UK’s adequacy (one under the EU GDPR, and one under the Law Enforcement Directive in respect of the processing of law enforcement data). As these decisions expire in June 2025, the Commission will work later in 2024 to assess whether to extend the adequacy decisions[12].
The IP(A)A is likely to be scrutinised closely by the Commission as part of this review. The IPA was a relatively new framework at the time of the original adequacy decisions and largely received a positive assessment from the Commission. However, as some of the changes under the IP(A)A – including those highlighted above – can be interpreted as reducing privacy protections, there is a risk that the Commission will view the amended framework in a different light.
[1] Annex A, IPA 2016 impact assessment (publishing.service.gov.uk)
[2] Investigatory Powers (Amendment) Act 2024, s.258A(1).
[3] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24) – GOV.UK (www.gov.uk)
[4] Changes to the UK investigatory powers regime receive royal assent | Inside Global Tech
[5] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24) – GOV.UK (www.gov.uk)
[6] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24) – GOV.UK (www.gov.uk)
[7] Bulk data | MI5 – The Security Service
[8] Investigatory Powers (Amendment) Act 2024, s.226A(1).
[9] Investigatory Powers (Amendment) Act 2024, s.226B(5).
[10] Investigatory Powers (Amendment) Act 2024, s.226A(3).
[11] Investigatory Powers (Amendment) Bill: Bulk Personal Datasets and Third-Party Bulk Personal Datasets (26/04/2024) – GOV.UK (www.gov.uk)